Fine grained row level access to Dynamodb via Cognito Authorizer

Question

Im able to only allow logged in users to access my Api gateway endpoint via Cognito Authorizer. The next step is to allow users to only access their data in Dynamodb. For that Im taking the role ARN (which is defined in my user group) from the lambda request event, and assuming that role before querying Dynamodb. Here's my DynamoDB policy. If I hardcode the cognito user pool sub, which matches the portion key on the table, it works, which means my policy is correct. I just can't figure out how to dynamically get the user pool sub in the policy.

```{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:Update*",
                "dynamodb:Delete*"
            ],
            "Resource": [
                "arn:aws:dynamodb:*:*:table/table-name-db",
                "arn:aws:dynamodb:*:*:table/table-name-db/index/*"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        
                    ]
                }
            }
        }
    ]
}```

Answer

Does this help - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_items.html

Answer

OK. I am not aware of how to accomplish this without using Cognito Identity Pools. This blog explains how you can use Cognito Identity Pools with Cognito User Pools to achieve fine-grained authorization - https://aws.amazon.com/blogs/mobile/building-fine-grained-authorization-using-amazon-cognito-user-pools-groups/

Fine grained row level access to Dynamodb via Cognito Authorizer

Relevant content